thank you VJ and all other netpros who have contributed.

Would storm control be a good practice to mitigate this kind of sceanario?

Hi,

I haven't tried that option and hence not sure whether it would help.

However the storm control works by limiting the traffic level on the port, till the storm reduces.

In this scenario, until the loop is identified and corrected, the issue is going to be persistent.

Also Using storm control may leave this scenario unnoticed.

-VJ

Hi VJ,

Got any solution to this?

This can be cisco's vulnerability issue. We are encountering the same problem.

Thanks,

Jeff

Hi Jeff,

As far as i know, no solution exists for this race around condition.

If two "port fast" enabled ports are looped, it will create a mess in the network.

Because the switch will never send a BPDU via a port fast enabled port. Hence there is no way the switch can detected that both the ports are looped.

It is better to disable the port fast in this scenario.

If you encounter any solution, kindly keep us all posted.

Regards

VJ

Thanks for the info. I'll have a conference call tomorrow with our local cisco systems and see if they have a solution. I'll keep you posted.

You are probably talking about the global portfast bpdufilter command, because BPDUs do get sent on portfast enabled ports.

I don't know much about the IP phone, but even if it is not running STP, it could still relay the BPDUs and then the switch behind the phone could detect a loop.

I would not be surprised if the problem was rather related to configuring bpdufilter on the ports (which indeed prevents BPDU transmit and receive). Else, if indeed the IP phone is filtering BPDUs, there is nothing STP can do here.

Port security allows you to shut down a port after a certain number of mac addresses have been learnt on it. When you have a bridging loop, flooded traffic coming from the backbone will go through your access ports, and you are very likely to learn lots of mac addresses and discover the problem. I think the feature might help here.

Regards,

Francois

One thing i hate about this problem is that we are using CE500. Unfortunately, not much to be configured.

This is easily reproduced. Plug both ports of the ip phone to both ports of the switch with portfast enabled.

Yea Agree, after initial use of CE500 found its many limitations, despite of its lower cost, looking at the features and functions, I do not think its worth the take. thats why during my second phase of project implementation, I totally rule CE500 out of the picture.

I've tried implementing port-security controls limiting mac address, enable BPDU-guard and broadcast storm, worked for me so far.

To add on, this is a prevalent problem of Cisco, Cisco should address this issue not for end users like us to figure out work arounds if their product is so vulnerable.

I'm frustrated because I don't have the equipment to test this myself, but I'm really surprised. Do you think this is specific to the CE500? I'm trying to figure out if the problem is with the CE500 not sending BPDUs on portfast enabled ports (which is wrong, a portfast enable port *does* run STP), or the IP phone filtering BPDUs (which would not be very clever either btw).

In that setup, I can perfectly see a temporary bridging loop, but it should end as soon as the switch ports hear of each other.

Thanks and regards,

Francois

I do not think that the problem is specific to CE500 only. Haven't tested it though. The one who openned this topic may not be using CE500.

Any ip phone would also do. Just borrow any phone you see. :-)

Our customer encountered it using 7912 ip phone. While lacking that particular ip phone on the lab, we used 7940 that is available.

Not really sure what the architechure of the ip phone is but it should have some mechanism to tell the switch to block one port.

Anyway, our local cisco will be the one opening the case to TAC in order to solve this problem since it is concerning their product. I hope we get an answer soon. Our client is very concern about security issues.